From 728997e1f29a22c0528ddedf2da576c7e54c0b1a Mon Sep 17 00:00:00 2001
From: dangered wolf
Date: Tue, 22 Aug 2023 21:57:39 -0400
Subject: [PATCH] Improve security of set_base_redirect

---
 .env.example | 1 +
 jestconfig.json | 1 +
 src/constants.ts | 1 +
 src/server.ts | 17 +++++++++++++++++
 src/types/env.d.ts | 1 +
 webpack.config.js | 1 +
 6 files changed, 22 insertions(+)

diff --git a/.env.example b/.env.example
index 240e3b8..206549f 100644
--- a/.env.example
+++ b/.env.example
@@ -1,4 +1,5 @@
 BRANDING_NAME = "FixTweet"
+STANDARD_DOMAIN_LIST = "fxtwitter.com,fixupx.com,twittpr.com"
 DIRECT_MEDIA_DOMAINS = "d.fxtwitter.com,dl.fxtwitter.com,d.pxtwitter.com,d.twittpr.com,dl.pxtwitter.com,dl.twittpr.com,d.fixupx.com,d.xfixup.com,dl.fixupx.com,dl.xfixup.com"
 TEXT_ONLY_DOMAINS = "t.fxtwitter.com,t.twittpr.com,t.fixupx.com,t.xfixup.com"
 INSTANT_VIEW_DOMAINS = "i.fxtwitter.com,i.twittpr.com,i.fixupx.com,i.xfixup.com"
diff --git a/jestconfig.json b/jestconfig.json
index c8bfe14..771d3c8 100644
--- a/jestconfig.json
+++ b/jestconfig.json
@@ -7,6 +7,7 @@
 "BRANDING_NAME": "FixTweet",
 "TEXT_ONLY_DOMAINS": "t.fxtwitter.com,t.twittpr.com",
 "INSTANT_VIEW_DOMAINS": "i.fxtwitter.com,i.twittpr.com",
+"STANDARD_DOMAIN_LIST": "fxtwitter.com,fixupx.com,twittpr.com",
 "DIRECT_MEDIA_DOMAINS": "d.fxtwitter.com,dl.fxtwitter.com",
 "MOSAIC_DOMAIN_LIST": "mosaic.fxtwitter.com",
 "DEPRECATED_DOMAIN_LIST": "pxtwitter.com,www.pxtwitter.com",
diff --git a/src/constants.ts b/src/constants.ts
index 166d865..5c8ff7e 100644
--- a/src/constants.ts
+++ b/src/constants.ts
@@ -1,6 +1,7 @@
 export const Constants = {
 /* These constants are populated by variables in .env, then set by Webpack */
 BRANDING_NAME: BRANDING_NAME,
+STANDARD_DOMAIN_LIST: STANDARD_DOMAIN_LIST.split(','),
 DIRECT_MEDIA_DOMAINS: DIRECT_MEDIA_DOMAINS.split(','),
 TEXT_ONLY_DOMAINS: TEXT_ONLY_DOMAINS.split(','),
 INSTANT_VIEW_DOMAINS: INSTANT_VIEW_DOMAINS.split(','),
diff --git a/src/server.ts b/src/server.ts
index 8634e80..95c1ecd 100644
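Review bot: `STANDARD_DOMAIN_LIST.split(',')` keeps any whitespace around the separators, and this list is now compared by exact string equality against a parsed hostname in server.ts, so an env value written as `example.com, example.net` (constructed example) would silently reject every request from the second domain — the check fails closed, but with a confusing 403 for legitimate users. Normalising at load time, `STANDARD_DOMAIN_LIST: STANDARD_DOMAIN_LIST.split(',').map(d => d.trim().toLowerCase()),`, avoids that; the sibling lists here split the same way, so this is a pre-existing convention rather than a regression, but this entry is the first one used for an access decision. The Constants object continues past the hunk.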
--- a/src/server.ts
+++ b/src/server.ts
@@ -377,6 +377,20 @@ const setRedirectRequest = async (request: IRequest) => {
 const { searchParams } = new URL(request.url);
 let url = searchParams.get('url');
 
+/* Check that origin either does not exist or is in our domain list */
+const origin = request.headers.get('origin');
+if (origin && !Constants.STANDARD_DOMAIN_LIST.includes(new URL(origin).hostname)) {
+return new Response(
+Strings.MESSAGE_HTML.format({
+message: `Failed to set base redirect: Your request seems to be originating from another domain, please open this up in a new tab if you are trying to set your base redirect.`
+}),
+{
+headers: Constants.RESPONSE_HEADERS,
+status: 403
+}
+);
+}
+
 if (!url) {
 /* Remove redirect URL */
 return new Response(
@@ -386,6 +400,7 @@ const setRedirectRequest = async (request: IRequest) => {
 {
 headers: {
 'set-cookie': `base_redirect=; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 GMT; secure; HttpOnly`,
+'content-security-policy': `frame-ancestors ${Constants.STANDARD_DOMAIN_LIST.join(' ')};`,
 ...Constants.RESPONSE_HEADERS
 },
 status: 200
@@ -409,6 +424,7 @@ const setRedirectRequest = async (request: IRequest) => {
 {
 headers: {
 'set-cookie': `base_redirect=; path=/; max-age=0; expires=Thu, 01 Jan 1970 00:00:00 GMT; secure; HttpOnly`,
+'content-security-policy': `frame-ancestors ${Constants.STANDARD_DOMAIN_LIST.join(' ')};`,
 ...Constants.RESPONSE_HEADERS
 },
 status: 200
@@ -429,6 +445,7 @@ const setRedirectRequest = async (request: IRequest) => {
 {
 headers: {
 'set-cookie': `base_redirect=${url}; path=/; max-age=63072000; secure; HttpOnly`,
+'content-security-policy': `frame-ancestors ${Constants.STANDARD_DOMAIN_LIST.join(' ')};`,
 ...Constants.RESPONSE_HEADERS
 },
 status: 200
diff --git a/src/types/env.d.ts b/src/types/env.d.ts
index 568d1e6..c73b538 100644
--- a/src/types/env.d.ts
+++ b/src/types/env.d.ts
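Review bot: `new URL(origin)` in the added Origin check throws on a header value it cannot parse, and browsers do send the literal value `null` as Origin (sandboxed frames, some cross-origin redirects), so such a request raises instead of being refused; unless a surrounding handler catches it, this surfaces as an error response rather than the intended 403. Treat an unparseable Origin as foreign: parse inside try/catch and fall through to the same 403 branch, so the check fails closed on every malformed value. The enclosing setRedirectRequest starts before the hunk and continues past it.
```typescript
  const origin = request.headers.get('origin');
  if (origin) {
    let originHost: string | null = null;
    try {
      originHost = new URL(origin).hostname;
    } catch {
      /* "null" or otherwise unparseable Origin: treat as another domain */
    }
    if (originHost === null || !Constants.STANDARD_DOMAIN_LIST.includes(originHost)) {
      // … unchanged: 403 MESSAGE_HTML response …
    }
  }
```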
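Review bot: The Set-Cookie lines at hunks -386, -409 and -429 carry `secure; HttpOnly` but no `SameSite` attribute, and the Origin check added at -377 does not cover that gap on its own: browsers generally omit Origin on top-level GET navigations and on no-cors subresource requests, so a cross-site GET carrying `?url=` arrives with `origin` null, skips the new check and presumably reaches the cookie-setting path after whatever validation sits between the hunks. Because this endpoint takes its input from the query string, appending `SameSite=Lax` (or `Strict`) to each cookie, e.g. `… secure; HttpOnly; SameSite=Lax`, adds a browser-enforced second check, and `Sec-Fetch-Site` could be consulted alongside Origin where it is present. Note also that `...Constants.RESPONSE_HEADERS` is spread after the new `'content-security-policy'` key, so a same-named entry in RESPONSE_HEADERS would silently override the frame-ancestors policy; spreading first and setting the CSP key after it would make the intended precedence explicit.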
@@ -1,4 +1,5 @@
 declare const BRANDING_NAME: string;
+declare const STANDARD_DOMAIN_LIST: string;
 declare const DIRECT_MEDIA_DOMAINS: string;
 declare const TEXT_ONLY_DOMAINS: string;
 declare const INSTANT_VIEW_DOMAINS: string;
diff --git a/webpack.config.js b/webpack.config.js
index dd272c3..daba652 100644
--- a/webpack.config.js
+++ b/webpack.config.js
@@ -19,6 +19,7 @@ require('dotenv').config();
 
 let envVariables = [
 'BRANDING_NAME',
+'STANDARD_DOMAIN_LIST',
 'DIRECT_MEDIA_DOMAINS',
 'TEXT_ONLY_DOMAINS',
 'INSTANT_VIEW_DOMAINS',